Other authentication methods are not impacted by this issue. This issue can be mitigated by configuring GlobalProtect to require users to authenticate with their credentials. Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 59884 on traffic destined for the GlobalProtect portal, gateway, or VPN will block attacks against CVE-2020-2050. This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, PAN-OS 10.0.1, and all later PAN-OS versions. Palo Alto Networks is not aware of any malicious exploitation of this issue. Severity: HIGHĬVSSv3.1 Base Score: 8.2 ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) Exploitation Status Other forms of authentication are not impacted by this issue. This issue can not be exploited if client certificate authentication is not in use. This issue is only applicable to PAN-OS appliances using the GlobalProtect VPN, gateway, or portal configured to allow users to authenticate with client certificate authentication. PAN-OS 10.0 versions earlier than PAN-OS 10.0.1. PAN-OS 9.1 versions earlier than PAN-OS 9.1.5 PAN-OS 9.0 versions earlier than PAN-OS 9.0.11 PAN-OS 8.1 versions earlier than PAN-OS 8.1.17
In configurations where client certificate verification is used in conjunction with other authentication methods, the protections added by the certificate check are ignored as a result of this issue.
Impacted features that use SSL VPN with client certificate verification are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, GlobalProtect Large Scale VPN A remote attacker can successfully authenticate as any user and gain access to restricted VPN network resources when the gateway or portal is configured to rely entirely on certificate-based authentication. Fixed an issue where, when the GlobalProtect app was installed on Windows devices, the app was unable to translate the CA certificate that contained unicode characters for certificate authentication, and as a result, client certificate authentication failed. An authentication bypass vulnerability exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software that allows an attacker to bypass all client certificate checks with an invalid certificate.